Security News > 2020 > June > GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin

GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack.
The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls session ticket key generate().
The bug, introduced in GnuTLS 3.6.4, was fixed in GnuTLS 3.6.14.
Ayer has been critical of GnuTLS in the past, referring to it as a "Clownish" TLS implementation in a blog post about the expiration of Sectigo's AddTrust legacy root certificate, which affected GnuTLS. Others echoed his disdain for GnuTLS, with some arguing for its removal as a dependency.
"Never use GnuTLS," quipped Thomas H. Ptacek, a security researcher and founder of Matasano Security.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/10/gnutls_patches_security_hole/
Related news
- Google Acquires Wiz for $32 Billion in Its Biggest Deal Ever to Boost Cloud Security (source)
- Google to purchase Wiz for $32 billion in cloud security play (source)
- Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz (source)
- Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products (source)